Pygmy Goat Malware Targets Sophos Firewalls: NCSC Issues Alert
The United Kingdom’s National Cyber Security Centre (NCSC) has released a report on the malware “Pygmy Goat,” designed to breach Sophos XG firewall network devices. This malware has been used in attacks attributed to Chinese hackers.
Last week, Sophos detailed years-long attacks by Chinese groups targeting network perimeter devices. A central tool in these attacks is a rootkit—a malicious program disguised as Sophos files, embedded in devices for clandestine access. The malware is complex, employing advanced techniques to conceal and maintain device access.
Although the NCSC report does not directly identify specific hacker groups, the described tactics resemble the “Castletap” technique, which Mandiant has associated with Chinese intelligence services. Sophos also confirmed the use of this rootkit in 2022 attacks linked to the hacking group “Tstark.”
Sophos researchers found two instances of the malicious “libsophos.so” file, deployed through exploitation of the CVE-2022-1040 vulnerability (CVSS score: 9.8) in Sophos Firewall. One compromised device belonged to a critical government entity, while the other was with its technology partner.
“Pygmy Goat” is a hacking tool in the form of the “libsophos.so” file, granting hackers covert access to Linux-based devices, including the Sophos XG firewall. The malware uses the LD_PRELOAD environment variable to load its code into the SSH daemon (sshd) and intercept functions responsible for handling incoming connections.
The program monitors SSH traffic for so-called “magic bytes” in the first 23 bytes of each packet. When such a sequence is detected, the connection is identified as a backdoor session, and the program redirects it to an internal Unix socket for communication with the command server.
The malware also listens on an ICMP socket, awaiting encrypted packets containing an IP and port for connecting to the command server, after which it initiates a reverse connection via TLS. To evade detection, “Pygmy Goat” uses a counterfeit certificate resembling FortiGate CA from Fortinet to blend into network environments with Fortinet devices.
Upon establishing an SSH connection, the malware simulates data exchanges to appear legitimate on monitoring tools. The command server can instruct “Pygmy Goat” to perform tasks such as launching a command shell, capturing network traffic, managing cron jobs, and setting up a reverse SOCKS5 proxy for covert data exchange.
The NCSC report includes file hashes together with YARA and Snort rules for early detection of “Pygmy Goat” activity. It also recommends monitoring for files such as /lib/libsophos.so and /tmp/.sshd.ipc, for encrypted ICMP packets, and for the use of LD_PRELOAD in sshd processes, any of which may indicate infection by this malware.